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DIGITAL SIGNATURE SYSTEM AND METHOD BASED ON 
HARD LATTICE PROBLEM 



BACKGROUND OF THE INVENTION 

1. Field of the Invention 

The present invention relates generally to systems and methods for producing 
digital signatures based on the hardness of solving a worst-case lattice problem. 

2. Description of the Related Art 

Digital signatures are used for many applications, including verifying the 
identity of the sender of a message. Most digital signature schemes rely on the 
difficulty of factoring a large number obtained as a product of two large prime 
numbers, or on computing discrete logarithms. 

Goldreich et al. proposed using lattice reduction problems as a basis for 
producing digital signatures in Advances in Cryptography - CRYPTO, Springer 
LNCS , 1294:112-131 (1997). A lattice is a collection of points in n-dimensional 
space which satisfy certain properties, including (1) zero is in the set; (2) if a, b are 
in the set, then a+b, a-b are also in the set; (3) the lattice is generated by at least one 
finite basis, i.e., there exists a finite set (called a "basis'*) such that every point in the 
lattice is expressible as an integer linear combination of the elements in the basis. The 
"length" of a basis is the length of the longest vector in the basis. It happens that a 
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lattice typically can be defined using one of many bases, with the shortest basis being 
hard to find when the number "n" of dimensions becomes large. 

Accordingly, the present invention recognizes that in a lattice-based digital 
signature scheme, an n-dimensional lattice can be generated that has a hard-to-find 
short basis, which is used as a sender's private key to sign a message by mapping the 
message to a point in the n-dimensional space. A recipient of the message can access 
a public key - the lattice with a relatively long basis - to verify the sender's identity 
by verifying the location of the message in the n-dimensional space. Unfortunately, 
the scheme disclosed by Goldreich et al., as admitted by Goldreich et al., might result 
in mapping two messages close together in the n-dimensional space, which would 
defeat the scheme as to those two messages because both messages would have the 
same digital signature. 

In the present assignee's U.S. Patent No. 5,737,425 to Ajtai, incorporated 
herein by reference, an interactive message authentication system is disclosed which 
uses lattices. Although directed primarily to message authentication, the '425 patent 
discloses a method for deriving a lattice with a short basis. As recognized by the 
present invention, however, a digital signature system, unlike a message authentication 
system, must provide irrefutability of a signature, such that a recipient of a message 
can show a message to a third party to prove the identity of the signer of the message, 
a feature not generally required in message authentication systems. The requirement 
of irrefutability is particularly important in e-commerce applications. Moreover, the 
invention disclosed in Ajtai is interactive, which in the context of digital signatures 
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could render it susceptible to so-called "intruder in the middle" attacks. With the 
above recognitions in mind, the present invention has provided the inventive solutions 
disclosed below. 

SUMMARY OF THE INVENTION 

A computer-implemented method is disclosed for digitally signing data. The 
method includes generating a lattice X having at least one short basis establishing a 
private key and at least one long basis establishing a public key. Further, the method 
includes mapping at least the message \i or a concatenation thereof to a message point 
"x" in n-dimensional space using a function "f". The function "f" is selected such that 
the possibility of mapping two messages close together in the space is infeasible. 
Using the short basis, a lattice point "y" of the lattice is found that is close to the 
message point "x". 

In a preferred embodiment, at least the message point "x" and the lattice point 
"y" are returned as a digital signature. If desired, the function "f ' can be randomized 
by concatenating the message \i with a random number p. Both the message ju and 
random number p are binary strings. 

In one embodiment, the function "f ' maps the message \i to a point on a grid. 
In this embodiment, the function "f" can be collision intractable, the collision 
intractability of which is derived from the hardness of lattice problems. In another 
embodiment, the function "f is collision intractable. In still another embodiment, the 
function "f" maps at least the message to a point on an auxiliary lattice. 
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The present method can also include verifying a digital signature at a receiver 
computer at least in part by determining whether a difference between the lattice point 
"y" and the message point "x" is no more than a predetermined distance. The 
predetermined distance can be related to the number of dimensions in the lattice X. 

In another aspect, a computer program storage device includes a program of 
instructions for generating a digital signature for a message. The program of 
instructions in turn includes computer readable code means for mapping a message \i 
or a concatenation with a random string p to a message point "x" in n-dimensional 
space, with the message point "x" being a point of a grid or a point of an auxiliary 
lattice. Also, computer readable code means find a point "y" of a key lattice SE that 
is nearby the message point "x", and computer readable code means establish a digital 
signature, based at least on the points "x" and "y M . 

In still another aspect, a computer system for generating a digital signature of 
a message \i includes at least one sender computer. The sender computer includes 
logic for executing method steps that include mapping the message |itoa message 
point "x" at which it is not feasible to map any other message. Moreover, the logic 
of the sender computer finds a lattice point "y" that is relatively close to the message 
point "x M , and then the logic transmits at least the message \i and the points "x" and 
"y". Further, the system includes at least one receiver computer that receives the 
message |u and points "x" and "y" and that executes logic including determining 
whether a distance between the points "x" and "y" is related in a predetermined way 
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to a predetermined distance. Based thereon, it is determined whether the message \i 
has been properly signed. 

In yet another aspect, a computer-implemented method for digitally signing 
data includes generating a lattice 56 having at least one short basis and at least one 
long basis. The method also includes mapping at least the message or a 
concatenation thereof to a message point "x" in n-dimensional space. The message 
point "x" is an element of a set of spaced-apart points. Using the short basis, a lattice 
point "y" of the lattice X is found that is close to the message point V. 

The details of the present invention, both as to its structure and operation, can 
best be understood in reference to the accompanying drawings, in which like reference 
numerals refer to like parts, and in which: 

BRIEF DESCRIPTION OF THE DRAWINGS 

Figure 1 is a block diagram of the present system; 

Figure 2 is a flow chart of the logic used during generation of a lattice-based 
digital signature; and 

Figure 3 is a flow chart of the logic for verifying the digital signature. 

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS 

Referring initially to Figure 1, a preferably non-interactive system for 
generating digital signatures based on lattice problems is shown, generally designated 
10. Because the preferred system 10 is non-interactive, it is immune from so-called 
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"intruder in the middle' 1 attacks. In the particular architecture shown, the system 10 
includes a sender computer 12 that executes a software- implemented digital signature 
module 14 in accordance with the logic below to digitally sign messages. As shown 
in Figure 1, the sender computer 12 can send a message |u, a message point n x", a 
lattice point "y"? and, if desired, a randomly generated number p in accordance with 
the disclosure below to a receiver computer 16. In turn, the receiver computer 16 
executes a receiver module 18 to verify the signature. 

It is to be understood that the logic disclosed herein may be executed by a 
processor as a series of computer-executable instructions. The instructions may be 
contained on a data storage device with a computer readable medium, such as a 
computer diskette. Or, the instructions may be stored on a DASD array, magnetic 
tape, conventional hard disk drive, electronic read-only memory, optical storage 
device, or other appropriate data storage device. In an illustrative embodiment of the 
invention, the computer-executable instructions may be lines of compiled C ++ 
compatible code. 

In any case, the flow charts herein illustrate the structure of the modules of the 
present invention as embodied in computer program software. Those skilled in the 
art will appreciate that the flow charts illustrate the structures of computer program 
code elements including logic circuits on an integrated circuit, that function according 
to this invention. Manifestly, the invention is practiced in its essential embodiment 
by a machine component that renders the program code elements in a form that 
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instructs a digital processing apparatus (that is, a computer) to perform a sequence of 
function steps corresponding to those shown. 

Figure 2 shows the logic of the digital signature module 14. The following 
notation is used for the below discussion. The notation that x G R X means that the 
number "x" is chosen uniformly randomly from the set X. For a binary string x, the 
symbol | x | denotes its length. For binary strings x, y, the symbol x o y denotes 
their concatenation. All distances and norms are assumed to be Euclidean. For all 
integers a, b >0, the notation Z a c is the set of all a-tuples of integers in the set 
{0,l,...,c-l}. Similarly, Z axb c is the set of all matrices of "a" rows and "b" columns 
whose elements are integers in the set {0,l,...,c-l}. For a set b Iv ..b n of vectors, 
denotes the lattice of all integer linear combinations of b l5 ...b n , with the vectors 
establishing a "basis" of the lattice $E. The length of a basis is the Euclidean norm 
of the length of the longest vector in the basis. Finally, the symbol [x] denotes the 
integer portion of a number x. 

With the above discussion in mind, commencing at block 20 in Figure 2, a 
lattice is generated that has a short basis and at least one long basis. The lattice 
X preferably is generated using the principles set forth in the present assignee's U.S. 
Patent No. 5,737,425 to Ajtai. It is to be understood that the short basis of the lattice 
5£ is generated along with the lattice, but that once the lattice is known, it is a difficult 
if not impossible problem to reverse engineer the short basis. The long basis of the 
lattice, accordingly, is published as the public key at block 22 and the short basis is 
maintained in secrecy as the private key of the present digital signature scheme. 
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In any case, in the preferred method for generating the lattice i£, set forth in 
the above-referenced patent, a variable "r" is selected that is sufficiently large such 
that the worst-case problems discussed in Ajtai, "Generating Hard Instances of Lattice 
Problems", Proc, 28 th ACM Symposium on Theory of Computing , pages 99-108 
(1996) and incorporated herein by reference, are hard. Moreover, variables c L1 and 
c L2 are selected such that it is infeasible to find vectors of length r 3 in n-dimensional 
lattices constructed in accordance with the above-referenced patent. Preferably, c L2 
> 9 and c Li > c L2 . 

Letting n = c L1 r(log r), finding vectors of length r 3 is infeasible in the n- 
dimensional lattice X that is created at block 20, assuming that certain worst-case 
lattice problems are hard in lattices of dimension n. Further, let q L be the least odd 
integer satisfying q L > [r cL2 ], let K = r 3 , and let M = (nq L ) 1/2 . The preferred key lattice 
X is a random lattice in r'(n,M) as defined in the above-referenced patent, where an 
efficient construction of the lattice is also described that has a short basis generated 
along with it having a length of at most K/3n. In contrast, the public (long) basis 
preferably is at most of length M 

When the sender computer 12 desires to send a message |i, it enters a DO loop 
at block 24. Moving to block 26, the logic can, if desired, concatenate the message 
\x with a random string p. Then, proceeding to block 28, the message \x (or, more 
preferably, the concatenation \x o p) is mapped to a message point "x" in n- 
dimensional space using a function "f that is chosen such that it is infeasible that two 
messages would be mapped close to each other in space. "Close" is defined further 
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below in the context of the two grid-based mapping methods and one auxiliary lattice- 
based mapping method. 

More specifically, for the grid-based methods, assume that A is an n- 
dimensional grid of size "d", where the preferred d = r 4 . Also, let I = n 3 q L , and let 
the above-mentioned function "f be established by a mapping hash function H: {0,1 } n 
— ► {0,1 }K Further assume that the magnitude of the message is one-half n, i.e., that 
| (i | = n/2. First, p is selected from the set {0,1 j" 72 , and then the message point "x" 
is determined as an n-tuple of integers multiplied by "d" as follows: x = H((i o p)d. 
If the message point "x" as computed happens to be a point on the key lattice ££, the 
process above repeats with a new random string p. 

In a first implementation of the grid-based method, the mapping function H 
is any hash function that satisfies the so-called Magic Hash Function condition that 
there exists an efficiently and publicly computable function that behaves like a random 
oracle. Some combination of hash functions such as Message Digest 5 (MD-5), 
"Sha", and "Snefru" are assumed to approximate the Magic Hash Function. Such a 
function is not collision- intractable. 

In a second implementation of the grid-based method, the mapping function 
H is a collision-intractable function, preferably a lattice-based hash function, wherein 
c Ll and c L2 have the property that it is infeasible to find vectors of length r 3 in the 
lattice described in the above-referenced Ajtai publication. In this implementation, 
assume that q H is the least odd integer satisfying q H > [r cL2 ~ 4 ]. The output of the hash 
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function is n-tuples of integers in the set {Q,l,...,q H _ { }. Further assume that c H2 = c L2 
+4, and c H1 = c Ll5 so that n = c H1 rlog(r) = c L1 rlog(r), 

With the above definitions in mind, in the grid-based collision intractable 
embodiment, the mapping function H G R Z rxn qH , and a variable m is a vector in Z n 2 
that is an element of {0,1 } n . With this notation, H(m) = Hm mod q H G Z r qH , the 
output of which function is an r-tuple of integers in Z qH . This output is interpreted 
as n integers of equal length, i.e., as a point in Z n . As understood herein, it is 
computationally infeasible to find vectors of length "n" in the n-dimensional lattice of 
vectors = x G {0,1 } n such that Hx = 0 mod q H . In other words, finding vectors of 
length r 3 > n in the lattice of vectors defined by x G {0,1 } n is computationally 
infeasible. Moreover, it is to be appreciated that the collision intractability of the 
function "f ' as implemented in the last of the above-disclosed grid-based mapping 
methods, and in the below-disclosed auxiliary lattice mapping method, is derived from 
the hardness of lattice problems. 

As mentioned above, instead of using either of the two grid-based methods set 
forth above, a mapping using an auxiliary lattice can be undertaken at block 28. In 
this embodiment, assume that "A" is an n-dimensional auxiliary lattice chosen 
according to the same distribution as the key lattice SE is chosen. Accordingly, c A1 = 
c L1 and n = c A1 rlog(r), q A = q H , and it is easy to find a basis for the auxiliary lattice 
A of length M = (nq A ) y \ Let P be a public matrix whose columns are the above- 
disclosed long basis vectors for the auxiliary lattice A. 
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With the above definitions in mind, the message [x is concatenated, if desired, 
with the random string p as before at block 26, but then at block 28 the message point 
"x" is determined by multiplying the concatenation by the public matrix P. If the 
message point x is found to be an element of the key lattice i£, another random string 
p is selected and the process repeats. 

In any case, it is to be appreciated that in the grid-based or lattice-based 
mapping schemes disclosed above, the message \x is mapped to a message point "x" 
that is a point on a grid or a lattice. In other words, in contrast to previous lattice 
mapping schemes the message point "x" must be an element of a set of points that are 
spaced apart from each other in n-dimensional space, such that no two points in the 
set are close together. This makes it infeasible that any two messages will be mapped 
to locations that are sufficiently close together so as to make a single signature apply 
to both. 

Once the message has been mapped to the message point, the logic moves 
from block 28 to block 30, wherein a closest point M y" of the key lattice ££? to the 
message point M x" is determined, using the (private) short basis of the key lattice 5£. 
Specifically, using the short basis, a point y & X is obtained such that | | x-y | | 
< nK/(3n) (which, it will be recalled, = r 3 /3) by writing x as a linear (possibly non- 
integral) combination of vectors in the short basis, each of which has a length of at 
most K/(3n), and then rounding the coefficients to get y G ££. Then, at block 32, the 
message ji, random string p (if used), message point "x'\ and closest lattice point "y" 
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are output for transmission of the message with lattice-based digital signature to the 
receiver computer 16. 

Figure 3 shows that logic by which the receiver module 18 of the receiver 
computer 16 verifies the signature output at block 32. Commencing at block 34, the 
message \i, random string p (if used), message point "x", and closest lattice point f, y" 
are received. Moving to block 36, it is verified, using the long basis, that the lattice 
point "y" is indeed a point on the key lattice ££. If desired, it can be further verified 
that jn o p GZ n 2 . When a grid-based mapping method is employed, it can be further 
verified that x == H(|i o p)d, whereas when an auxiliary lattice mapping method is 
used it can be verified that x = P(|i o p). 

Moreover, using the long basis the receiver computer 16 moves to block 38 
to verify that the message point "x" is indeed close to the lattice point "y M . In a 
particularly preferred embodiment, this is done by verifying that | ] x-y | | < r73. 
More generally, at block 38 it is determined whether a difference between the lattice 
point "y" and the message point M x" is no more than a predetermined distance. If any 
test fails, it can be determined that the message \i has not been properly signed. 

While the particular DIGITAL SIGNATURE SYSTEM AND METHOD 
BASED ON HARD LATTICE PROBLEM as herein shown and described in detail 
is fully capable of attaining the above-described objects of the invention, it is to be 
understood that it is the presently preferred embodiment of the present invention and 
is thus representative of the subject matter which is broadly contemplated by the 
present invention, that the scope of the present invention fully encompasses other 
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embodiments which may become obvious to those skilled in the art, and that the scope 
of the present invention is accordingly to be limited by nothing other than the 
appended claims, in which reference to an element in the singular is not intended to 
mean "one and only one" unless explicitly so stated, but rather "one or more". All 
structural and functional equivalents to the elements of the above-described preferred 
embodiment that are known or later come to be known to those of ordinary skill in 
the art are expressly incorporated herein by reference and are intended to be 
encompassed by the present claims. Moreover, it is not necessary for a device or 
method to address each and every problem sought to be solved by the present 
invention, for it to be encompassed by the present claims. Furthermore, no element, 
component, or method step in the present disclosure is intended to be dedicated to the 
public regardless of whether the element, component, or method step is explicitly 
recited in the claims. No claim element herein is to be construed under the provisions 
of 35 U.S.C. §112, sixth paragraph, unless the element is expressly recited using the 
phrase "means for". 
WE CLAIM: 
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CLAIMS 



1 LA computer-implemented method for digitally signing data, comprising: 

2 generating a lattice having at least one short basis establishing a 

3 private key and at least one long basis establishing a public key; 

4 mapping at least the message |a or a concatenation thereof to a message 

5 point V in n-dimensional space using a function M f ' rendering infeasible the 

6 possibility of mapping two messages close together in the space; and 

3 using the short basis, finding a lattice point "y" of the lattice that is 

:i close to the message point "x". 

ril 2. The method of Claim 1, further comprising returning at least the 

12 message point n x" and the lattice point "y" as a digital signature. 

yi 3. The method of Claim 2, further comprising randomizing the function 

2 "f\ 

1 4. The method of Claim 3, wherein the function "f is randomized by 

2 concatenating the message \i with a random number p. 

1 5. The method of Claim 1, wherein the function "f f maps the message \x 

2 to a point on a grid. 
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1 6. The method of Claim 5, wherein the function "f ' is collision intractable. 

1 7. The method of Claim 6, wherein the collision intractability of the 

2 function "f 1 is derived from the hardness of lattice problems. 

1 8. The method of Claim 5, wherein the function "f is not collision 

2 intractable. 



f|~ 9. The method of Claim 1, wherein the function "f f maps at least the 

§(f message to a point on an auxiliary lattice. 

0 10. The method of Claim 1 , further comprising verifying a digital signature 
!? at least in part by determining whether a difference between the lattice point "y" and 
S£ the message point "x" is no more than a predetermined distance. 

1 11. The method of Claim 10, wherein the predetermined distance is related 

2 to the number of dimensions in the lattice $E. 

1 1 2. A computer program storage device including a program of instructions 

2 for generating a digital signature for a message, the program of instructions including: 
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3 computer readable code means for mapping a message [i or a 

4 concatenation thereof to a message point "x" in n-dimensional space, the 

5 message point "x" being a point of a grid or a point of an auxiliary lattice; 

6 computer readable code means for finding a point "y" of a key lattice 

7 X that is nearby the message point "x"; and 

8 computer readable code means for establishing a digital signature, based 

9 at least on the points M x" and "y". 

13. The computer program storage device of Claim 12, wherein the means 

J8 for mapping uses a function "f rendering infeasible the possibility of mapping two 

|j3 messages close together in the space, and wherein the means for finding includes 

fll using a hard to find short basis of the key lattice 5£. 

r 2 14. The computer program storage device of Claim 13, further comprising 

f$> means for randomizing the function "f 

1 15. The computer program storage device of Claim 14, wherein the 

2 function M f is randomized by concatenating the message |i with a random number p. 

1 16. The computer program storage device of Claim 12, wherein the 

2 function "f 1 maps the message \x to a point on a grid, and wherein the function "f 1 is 
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3 collision intractable, the collision intractability being derived from the hardness of 

4 lattice problems. 

1 17. The computer program storage device of Claim 12, wherein the 

2 function "f 1 is not collision intractable. 

1 18. The computer program storage device of Claim 13, wherein the 

2 function "f ' maps at least the message to a point on an auxiliary lattice. 

35 19. A computer system for generating a digital signature of a message |i, 

yi comprising: 

111 at least one sender computer including logic for executing method steps 

;4 including: 

\$ mapping the message ji to a message point "x" at which it is 

'f$ not feasible to map any other message; 

7 finding a lattice point "y" that is relatively close to the message 

8 point "x"; and 

9 transmitting at least the message \x and the points "x" and rt y"; 

10 at least one receiver computer receiving the message \x and points "x" 

1 1 and "y M and including logic for executing method steps including: 

12 determining whether a distance between the points "x" and "y M 

13 is related in a predetermined way to a predetermined distance, and 
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14 based thereon determining whether the message u has been properly 

1 5 signed. 

1 20. The system of Claim 19, wherein the mapping act is undertaken using 

2 a function "f ' that maps the message point "x" to a point of a grid or of an auxiliary 

3 lattice, and further wherein the lattice point "y" is a member of a lattice X, and the 

4 finding act is undertaken using a hard-to-find short basis of the lattice 

h 21 ■ The system of Claim 20, wherein the acts undertaken by the logic of 

% tne sender computer further comprise randomizing the function "f by concatenating 

$4. the message u with a random number p. 

1=1 22. The system of Claim 20, wherein the function "f is collision 

\& intractable. 

1 23. The system of Claim 22, wherein the collision intractability of the 

2 function "f ' is derived from the hardness of lattice problems. 

1 24. The system of Claim 20, wherein the function "f is not collision 

2 intractable. 
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1 25. The system of Claim 20, wherein the predetermined distance is related 

2 to the number "r" of dimensions in the lattice 56. 

1 26. A computer-implemented method for digitally signing data, comprising: 

2 generating a lattice <£ having at least one short basis and at least one 

3 long basis; 

4 mapping at least the message (a or a concatenation thereof to a message 

5 point V in n-dimensional space, the message point "x" being an element of 
£3 a set of spaced-apart points; and 

|f using the short basis, finding a lattice point "y" of the lattice i£ that is 

gj? close to the message point "x". 



jp 27. The method of Claim 26, wherein the mapping is undertaken using a 

fe* function "f \ 

1 28. The method of Claim 27, further comprising randomizing the function 

2 "f ' by concatenating the message \x with a random number p. 

1 29. The method of Claim 27, wherein the function "f 1 maps the message 

2 [x to a point on a grid. 
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1 30. The method of Claim 29, wherein the function "f ! is collision 

2 intractable. 

1 31. The method of Claim 30, wherein the collision intractability of the 

2 function "f ? is derived from the hardness of lattice problems. 

1 32. The method of Claim 29, wherein the function "f * is not collision 

2 intractable. 

|2 33. The method of Claim 27, wherein the function "f maps at least the 

2 message to a point on an auxiliary lattice. 

34. The method of Claim 26, further comprising verifying a digital 

W signature at least in part by determining whether a difference between the lattice point 

® "y M and the message point "x" is no more than a predetermined distance. 

1 35. The method of Claim 34, wherein the predetermined distance is related 

2 to the number of dimensions in the lattice X. 
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DIGITAL SIGNATURE SYSTEM AND METHOD BASED ON 
HARD LATTICE PROBLEM 
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I believe I am the original, first and sole inventor (if only one name is listed below) or an original, first and joint inventor (if plural names are listed below) of the 
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was filed on „ 

as United States Application Number or PCT International Application Number 
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Address all telephone calls to: Address all correspondence to: 
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Rogitz & Associates 

(61 9) 338-8075 750 B Street, Suite 31 20 

San Diego, California 92101 

i hereby declare that all statements made herein of my own knowledge are true and that all statements made on information and belief are believed to be true; 
and further that these statements were made with the knowledge that willful false statements and the like so made are punishable by fine or imprisonment, or both, 
under Section 1 001 of Title 1 8 of the United States Code and that such willful false statements may jeopardize the validity of the application or any patent Issued 
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Date. 
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Full name of second inventor: SHANMUGASUNDARAM RAVIKUMAR 



Inventor's signature: 
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Full name of third inventor: AM IT SAHAI 

Inventor's signature. Date- 
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Citizenship: United States Post Office Address: Same 

/////////////////^ 



Page 1 of 2 



Docket No. AM9-99-0138 



DECLARATION AND POWER OF ATTORNEY FOR PATENT APPLICATION 



iiiitiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiim 

As a below named inventor, I hereby declare that 

My residence, post office address and citizenship are as stated below next to my name 

I believe I am the original, first and sole inventor (if only one name is listed below) or an original, first and joint inventor (if plural names are listed below) of the 
subject matter which is claimed and for which a patent is sought on the invention entitled 

DIGITAL SIGNATURE SYSTEM AND METHOD BASED ON HARD LATTICE PROBLEM 

the specification of which is attached hereto unless the following box is checked: 
was filed on 

as United States Application Number or PCT International Application Number 

and was amended on (if applicable). 

I hereby state that I have reviewed and understand the contents of the above identified specification, including the claims, as amended by any amendment 
referred to above. 

I acknowledge the duty to disclose information which is material to patentability as defined in 37 CFR §1 .56 

1 hereby claim foreign priority benefits under 35 USC §1 19(a-d) or §365{b) of any foreign application(s) for patent or inventor's certificate, or §365(a) of any 
PCT International application which designated at least one country other than the United States, listed below and have also identified below, by checking the 
box, any foreign application for patent or inventor's certificate, or PCT International application having a filing date before that of the application on which 
priority is claimed. 

Prior Foreign Application(s): Priority Not Claimed 



(Number) (Country) (Day/Month/Year Filed) 

I hereby claim the benefit under 35 USC §1 19(e) of any United States provisional application(s) listed below: 

Provisional Application(s): 

(Application Number) {Filing Date) 

I hereby claim the benefit under 35 USC §120 of any United States applications), or §365(c) of any PCT Internationa! application designating the United 
States, listed below and, insofar as the subject matter of each of the claims of this application is not disclosed in the prior United States or PCT Internationa! 
application in4he manner provided by the first paragraph of 35 USC §1 12, 1 acknowledge the duty to disclose information which is material to patentability as 
defined in 37 CFR §1.56 which became available between the filing date of the prior application and the national or PCT Internationa! filing date of this 
application. 



(Application Number) (Filing Date) (Status - patented, pending, abandoned) 

Power of Attorney: 

| hereby appoint the following attorney(s) and/or agent{s) to prosecute this application and to transact ali business in the Patent and Trademark Office 
connected therewith: 

Thomas R. Berthold (#28,689) 

Richard M. Ludwin (#33,010) 

Marc D. McSwain (#44,929) 

Khanh Q. Tran (#41 ,352) 

John L. Rogitz (#33,549) 

Alison D. Mortinger (#39,306) 



Page 2 of 2 Docket No - AM9-99-0138 

DECLARATION AND POWER OF ATTORNEY FOR PATENT APPLICATION 

///////////////////////^^^^ 

Address all telephone calls to: Address all correspondence to: 

John L Rogitz John L. Rogitz 

Rogitz & Associates 

(61 9) 338-8075 750 B Street, Suite 31 20 

San Diego, California 92101 

I hereby declare that all statements made herein of my own knowledge are true and that all statements made on information and belief are believed to be true, 
and further that these statements were made with the knowledge that willful false statements and the like so made are punishable by fine or imprisonment, or both, 
under Section 1 001 of Title 18 of the United States Code and that such willful false statements may jeopardize the validity of the application or any patent issued 
thereon. 

iiiiiiiiiiwiiiiwiiiiwiiiiwiiiiiiiiiiiiiiimiim 

Full name of sole or first inventor: CYNTHIA DWORK 



Inventor's signature. Date 



Resident. 425 Upper Terrace, #3, San Francisco, California 941 1 7 



Citizenship: United States Post Office Address: Same 

/////////////////////////OT^^^ 

Full name of second inventor: SHANMUGASUNDARAM RAVIKUMAR 



Inventor's signature: Date: 



Residence: 



5460 Lean Avenue, Apt. #202, San Jose, California 95123 



Citizenship: India Post Office Address: Same 

iiiiwmiiiniiiiiiiiiiiiiiiiiiiwiiiiiiiiiiiiiii^ 

Full name of third inventor: AMIT SAHAI 





Inventor's signature. LA^JXI /[( ^7 r Date 1 1 /*t / <? <f 



bit 



Residence: Laboratory for Computer Science, M.I.T., Cambridge, Massachusetts 021 39 



Citizenship: United States Post Office Address. Same 

///////////////////////////^^^^ 



